The file is the fundamental object in a computing system for representing system resources. This holds true for attached hardware devices and for virtual “pseudo” devices, which are represented and accessed through a specialized file type known as a “special device file”. The device file acts as the portal to the device and its underlying functionality. This type of file contains no data; instead, its attributes carry information describing the device. This device information is a device specification, which consists of a major and a minor number. These values act as indexes or pointers into internal data structures within the operating system, and those data structures hold the specific device implementation methods and device properties. Since the special device file is merely a redirector to the system device, a system can have multiple device files for a given device.
In a typical computing system, device security is limited to the native operating system protection mechanisms. This protection usually consists of the file mode bits placed on the special device files. In addition, some device method implementations may perform additional checks of their own, such as allowing only root access. Often, however, the device itself is devoid of any security policy and relies on the protections of the special device file. If multiple special device files exist for a device, then the security depends on which special device file is used for the access: one device file may carry strict protections while another device file carries none. The creation of special device files is usually limited to the root user or to members of a privileged group. Some environments demand finer levels of security control on devices and seek to limit the authority of the native privileged user(s). For example, it may be desirable to prevent the creation of alternate device files for a device, even by the local root user. In addition, there may be a desire for specific control over which users can use a device, for example preventing a non-approved user from writing data to a floppy disk drive that native security would otherwise leave public. In the presence of multiple special device files, the most conservative security approach would take all of the device files into account and apply the most restrictive protection. The capabilities described here are not present in standard operating systems. An external security manager could enforce such a policy on special device files and, ultimately, on the system devices they represent. The security manager specifies how the devices are identified and how access to a device via alternate device files is detected and enforced. This detection is possible even when the alternate device files are not registered in the externally defined authorization policy.
There is a need for a file system security means that can identify special device files that represent protected system devices. This security means should be able to detect all special device files that represent a specific system device, and should be able to determine whether a given special device file representing a protected device is listed with the security means. It should also be able to detect access attempts to a protected system device through special device files that represent that device but are not listed with the security means. Such detection should result in enforcement of the protections placed on the accessed system device, even when the attempted access to the device is through a special device file whose protections were not registered with the security means.
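As an added illustration of the mechanism described above (example code written for this page, not part of the original text or of any particular product), the following Python module keys the authorization policy on the device identity (file type plus major/minor number read from the inode) rather than on the path of the special device file. An access through an unregistered alternate device file therefore still resolves to the protected device, and when several entries are registered for the same device the allowed user set is the intersection of all of them, which is the “most restrictive protection” rule. The `DeviceSecurityManager` class, the sample listing, the user names, and the major/minor values in the sample are all constructed for this example; only the `os.stat`/`os.major`/`os.minor` calls are real operating system interfaces.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DeviceKey:
    """Identity of a system device: file type plus major/minor number.

    Two special device files with the same key are alternate portals to
    the same underlying device, whatever their paths or mode bits.
    """
    kind: str     # "char" or "block"
    major: int
    minor: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    alias: bool   # True when the access went through an unregistered device file
    reason: str


def device_key_from_stat(st: os.stat_result) -> Optional[DeviceKey]:
    """Derive the device identity from an inode; None for non-device files."""
    if stat.S_ISCHR(st.st_mode):
        kind = "char"
    elif stat.S_ISBLK(st.st_mode):
        kind = "block"
    else:
        return None
    return DeviceKey(kind, os.major(st.st_rdev), os.minor(st.st_rdev))


def device_key_from_path(path: str) -> Optional[DeviceKey]:
    """Real lookup: read the device specification out of the file's inode."""
    return device_key_from_stat(os.stat(path))


def group_by_device(listing: List[Tuple[str, Optional[DeviceKey]]]) -> Dict[DeviceKey, List[str]]:
    """Group paths by device identity so every alias of a device is visible."""
    groups: Dict[DeviceKey, List[str]] = {}
    for path, key in listing:
        if key is not None:
            groups.setdefault(key, []).append(path)
    return groups


def find_device_files(root: str) -> Dict[DeviceKey, List[str]]:
    """Walk a real directory tree and group every special device file by device.

    os.walk lists device nodes among the non-directory entries; lstat is used
    so that symbolic links are not mistaken for device files of their own.
    """
    listing: List[Tuple[str, Optional[DeviceKey]]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                listing.append((path, device_key_from_stat(os.lstat(path))))
            except OSError:
                continue
    return group_by_device(listing)


class DeviceSecurityManager:
    """External policy keyed by device identity, not by device file path."""

    def __init__(self) -> None:
        self._entries: Dict[DeviceKey, List[Tuple[str, FrozenSet[str]]]] = {}

    def register(self, path: str, key: DeviceKey, allowed_users) -> None:
        self._entries.setdefault(key, []).append((path, frozenset(allowed_users)))

    def registered_paths(self, key: DeviceKey) -> List[str]:
        return [path for path, _ in self._entries.get(key, [])]

    def effective_users(self, key: DeviceKey) -> Optional[FrozenSet[str]]:
        """Most restrictive rule: intersect the user sets of all entries for a device."""
        entries = self._entries.get(key)
        if not entries:
            return None
        users = entries[0][1]
        for _, more in entries[1:]:
            users = users & more
        return users

    def check_access(self, path: str, key: Optional[DeviceKey], user: str) -> Decision:
        if key is None:
            return Decision(True, False, "not a device file; native permissions apply")
        users = self.effective_users(key)
        if users is None:
            return Decision(True, False, "device not protected; native permissions apply")
        alias = path not in self.registered_paths(key)
        via = "unregistered alias" if alias else "registered file"
        if user in users:
            return Decision(True, alias, f"{user} allowed on {key} via {via} {path}")
        return Decision(False, alias, f"{user} denied on {key} via {via} {path}")


# Constructed sample listing standing in for a scan of the file system.
SAMPLE_LISTING: List[Tuple[str, Optional[DeviceKey]]] = [
    ("/dev/fd0", DeviceKey("block", 2, 0)),
    ("/tmp/.fd0_copy", DeviceKey("block", 2, 0)),   # alternate file for the same device
    ("/dev/null", DeviceKey("char", 1, 3)),
    ("/etc/hosts", None),                           # ordinary file, no device key
]


def demo() -> Dict[Tuple[str, str], Decision]:
    mgr = DeviceSecurityManager()
    floppy = DeviceKey("block", 2, 0)
    mgr.register("/dev/fd0", floppy, {"alice", "bob"})
    mgr.register("/dev/floppy", floppy, {"alice"})   # stricter second entry wins
    return {(path, user): mgr.check_access(path, key, user)
            for path, key in SAMPLE_LISTING
            for user in ("alice", "bob", "mallory")}


if __name__ == "__main__":
    for (path, user), d in demo().items():
        print(f"{path:16} {user:8} allowed={d.allowed} alias={d.alias}  {d.reason}")
```

`find_device_files("/dev")` performs the real scan on a live system; the constructed `SAMPLE_LISTING` lets the policy logic run offline and shows the two cases the text cares about: `bob` is denied on the floppy because the second, stricter registration narrows the user set, and `mallory` is denied even through `/tmp/.fd0_copy`, a device file that was never registered.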